The Display Profile Authorizations command displays one profile, a
generic group of profiles, or all profiles and flags those where the
*PUBLIC or an authorized user has at least *USE authority to the user
profile. The owner, *ALLOBJ users, and certain system profiles are
bypassed. The user profiles that are flagged represent a security
exposure, because the *PUBLIC or an authorized user can submit a job
as the user profile or swap to the user profile.
You must have *ALLOBJ authority to use DSPPRFAUT.
A typical command would be:
DSPPRFAUT USRPRF(*ALL)
All user profiles would be listed along with the authorized users
(the owning user profile would be bypassed). If a *PUBLIC or
authorized user has at least *USE authority to the user profile, the
user would be flagged. *ALLOBJ users and certain system profiles are
bypassed to avoid clutter.
Allowing the *PUBLIC or a specified user to have *USE authority to a
user profile allows the *PUBLIC or authorized user to:
** Submit a job naming the user profile.
** Swap to the user profile during the running of a job.
Both of these possibilities represent a security exposure in most
situations.
In addition, a user can use WRKUSRPRF or DSPOBJD to see the names of
the user profiles on the system.
Flagging user profile owners
----------------------------
An option exists on the DSPPRFAUT command to flag those user profiles
that are not owned by a user in a list of approved owners. The default
is *DFT, which means QSECOFR and QSYS. You may name up to 300 users.
Some systems have a requirement that all user profiles be owned by
designated profiles. It is not necessarily a security exposure to
have a user profile owned by other than QSECOFR or QSYS, but allowing
the flag to occur can simplify checking for exception situations.
Running under a profile that adopts *ALLOBJ
-------------------------------------------
If DSPPRFAUT is run under a profile that adopts an *ALLOBJ user, the
user profile *GROUP will be shown for the user when a command such as
DSPOBJAUT is used for the profile. The *GROUP name also appears in
the internal file processed by DSPPRFAUT. Rather than clutter the
listing with this information, the *GROUP user profile is bypassed.
DSPPRFAUT escape messages you can monitor for
---------------------------------------------
None. Escape messages from the based-on functions will be re-sent.
DSPPRFAUT Command parameters *CMD
---------------------------------
USRPRF        The name or generic name of the user profile to be
                checked. *ALL is the default for all user profiles.

BYPOWN        A *YES/*NO option for whether to bypass the owner,
                which typically has all authority to the user
                profile. *YES is the default.

                *NO may be specified to include the owner
                information.

AUTOWNERS     A list of up to 300 owners may be specified to
                prevent flagging. The default is *DFT, which means
                QSECOFR and QSYS.

                If a user profile is not owned by a user in the
                list, the user profile is flagged.

                You may want to add your own list of valid user
                profiles that are allowed to own other profiles.

REFRESH       An option to determine if the DSPUSRPRF OUTFILE
                function is used to refresh the TAASECKP file in the
                TAASECURE library. The default is *YES, meaning the
                file will be refreshed.

                *DAYCHG may be specified, which means the file will
                be refreshed if the last time the file was output
                was on a different day. *DAYCHG assumes that you
                are using the command repeatedly on the same day and
                do not want to keep refreshing the information.

                *NO may be specified to use the existing data. If
                no data exists, the file is output.

OUTPUT        How to output the results. * is the default, to
                display the spooled file if the command is entered
                interactively. The spooled file is deleted after it
                is displayed.

                If the command is entered in batch or *PRINT is
                specified, the spooled file is output and retained.
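As an added example (not part of the TAA tool or its documentation), the following CL program runs DSPPRFAUT as a scheduled batch job using the parameters described above, keeps the spooled report for review, and turns any escape message re-sent by the tool into a failure of the job. The owner name SECADMIN is an assumed site-approved profile owner; any other names are placeholders.

```cl
/* Added example, not part of the TAA tool: run DSPPRFAUT over all  */
/* user profiles in batch with a site-specific approved-owner list. */
/* SECADMIN is an assumed approved owner; adjust for your system.   */
             PGM
             DCL        VAR(&MSGID)  TYPE(*CHAR) LEN(7)

             /* BYPOWN(*YES) drops the owner, who normally holds all  */
             /* authority to the profile. AUTOWNERS flags profiles    */
             /* owned by anyone outside the approved list.            */
             /* REFRESH(*DAYCHG) reuses the TAASECKP data if it was   */
             /* already extracted today. OUTPUT(*PRINT) retains the   */
             /* spooled file instead of displaying and deleting it.   */
             DSPPRFAUT  USRPRF(*ALL) BYPOWN(*YES) +
                          AUTOWNERS(QSECOFR QSYS SECADMIN) +
                          REFRESH(*DAYCHG) OUTPUT(*PRINT)

             /* The tool re-sends escapes from its based-on functions; */
             /* capture the message ID and end this job in error so    */
             /* the scheduler shows the run as failed.                 */
             MONMSG     MSGID(CPF0000 TAA0000) EXEC(DO)
                RCVMSG     MSGTYPE(*EXCP) MSGID(&MSGID)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('DSPPRFAUT ended in error with' +
                             *BCAT &MSGID) MSGTYPE(*ESCAPE)
             ENDDO
             ENDPGM
```

Schedule the program with ADDJOBSCDE under a profile that has *ALLOBJ, since DSPPRFAUT requires it; the retained spooled file is then reviewed from that job's output queue.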
Restrictions
------------
You must have *ALLOBJ authority to use DSPPRFAUT.
Prerequisites
-------------
The following TAA Tools must be on your system:
CHKALLOBJ Check *ALLOBJ special authority
CHKGENERC Check generic name
CRTLFSRC Create logical file source
CVTDAT Convert date
CVTLIBAUT Convert library authorizations
EXTLST2 Extract list 2
RMVMSGKEY Remove message key
RTVSYSVAL3 Retrieve system value 3
SCNVAR Scan variable
SNDCOMPMSG Send completion message
SNDESCINF Send escape information
SNDESCMSG Send escape message
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object        Type    Attribute   Src member   Src file
------        ----    ---------   ----------   --------
DSPPRFAUT     *CMD                TAASEIW      QATTCMD
TAASEIWC      *PGM    CLP         TAASEIWC     QATTCL
TAASEIWC2     *PGM    CLP         TAASEIWC2    QATTCL
TAASEIWR      *PGM    RPG         TAASEIWR     QATTRPG